Smarten Up! The Spoof is On

I was at a client’s office when the email – to her as president of a service organization – arrived, asking for a wire transfer of money. Other members of the organization got the same message, and some actually sent money. A scammer had spoofed a name or email address that was recognizable. This is becoming a growing problem. Is technology making us stupid?

The answer is “no,” but it is making us careless because it gives us the ability to do too many things too easily with too little forethought. That, in turn, leads to doing stupid things – and that’s what spoofers and other Internet-based thieves are counting on now and will continue to do so.

Email seems to open the doors to your computer and your data more conveniently than anything else. The biggest breach opportunities come when you click on something or follow through on instructions because you didn’t take the time to look carefully at an email and when you send sensitive information in an unencrypted email.

Spoofing is the most effective way to get you to open an email and link yourself to trouble. It’s remarkably easy to recreate a company’s logo and attach a fake email address to it. When many people see what they think is a legitimate logo, they just click to open. If nothing jumps out as a red flag, they’ll continue to a bogus website, and BINGO, it’s too late.

People are particularly susceptible to spoofs at this time of the year. Online merchandise sales continue to grow at holiday time, and merchants or shipping companies often send tracking info so you’ll know when your packages should arrive. If you take a little time to look at the message, you’ll probably see that the domain attached to the shipper or merchant bears no resemblance at all to the company. You might also note that the message itself is generic – and it likely has misspelled words or syntax that just doesn’t fit how we converse in the United States.

If you want to verify the tracking on a package, you can go onto the merchant’s or shipper’s website and enter a tracking number you received when your order was confirmed. If you don’t have that number, there is often a way to get the information.

Similarly, as we move from the holiday season to the tax season, be especially careful of financial-related information. There’s a reason why your financial advisor doesn’t let you leave trade information on voicemail or email. They don’t want your financial data left out in the open, and you should feel the same way. When financial advisors and institutions – and even healthcare providers – have messages for you, they generally tell you to access them on their secure websites – and require you to sign in.

DO NOT click a link on an email you think was sent to you by anyone who wants financial, health or other sensitive personal data. If you know the website, open a new browser window and go to the website by typing in the website address. Even if the domain name in an email looks correct, something like “[email protected]” can really link to “you’vebeenscammed.com.”

And, of course, never, never send user names, passwords, credit card info, bank accounts, Social Security numbers (even the last four digits) or other personal information in an email. Unless you and the other party have activated a mutually agreed-upon encryption process, the data is wide open. Email messages can go through multiple communications systems, and it’s impossible to know when a data thief is waiting to pick off any number of random messages at any point. They can pick off thousands in the blink of an eye and then take their own sweet time pulling out key info and wreaking havoc.

It all goes back to convenience vs. security, with a dose of distraction thrown in for good measure. We’ve had clients accidentally open a door to their computers, and the invaders took their info and denied the owners access to their systems. Fixing it on the computer end generally requires a visit from us, and then there’s the nerve-wracking hassle of working with other companies to close your breaches. When you have to go through all of that, it’s more than just an inconvenience.

We’re not telling you anything you don’t know. We are telling you to take a deep breath and a closer look at your email and the links inside them. We’re also telling you not to send sensitive information in emails. If you think you may have had a breach in your security, we can help you patch up your computer system. We can also help you set up an email encryption system. Call us – 973-433-6676 – or email us with your questions or to have us help resolve an issue.

Following the Money Conversations

Money is the only reason somebody steals information. Some 70 percent of the emails that lead to information theft are related to either financial institutions, businesses or something that mentions money in the subject line. Another 20 percent are related to espionage, and 5 percent are related to employee grudges. In most cases, curiosity kills your security.

Phishing expeditions are still one of the most effective ways for hackers to get into a computer system, and that’s because people have insatiable curiosity, especially when it comes to money. We’ve told you time and time again to be very careful about the links you click on from within an email. It is so easy for a hacker to mimic the logo of any bank or financial institution and to create an email address that can be close enough to looking real that you won’t notice it’s a fake in your haste to check out a great offer or respond to a dire warning.

So, as we’ve mentioned ad nausea, your curiosity could open the door to a Trojan horse virus that will enable someone to get into your computer. And once they do that, they can insert themselves into your financial conversations. To whom are you talking about money? Is it your financial advisor? Is it an attorney or a CPA? Is it your bank, credit card company or several merchants? They can identify every single one of them just by looking at your email. After all, you keep thousands of them in your Outlook application or on a website – which they can easily find once they get into your computer.

How will they put your email conversations to work for them? Well, let’s see. There’s your financial advisor, who’s been talking to you about your 401(k). Hmm. That’s good. Bet you have the password for that account stored on your computer. That makes it easy.

But wait, what if you “forgot” your password. The hacker can go to the website with your 401(k) and use your email address to reset the password. If that security is lax – say, for example, there’s no two-factor authentication – the hacker can have your email address routed to his, and now he’s in your account and can clean it out.

Of course, that could be just part of his haul. He knows who your financial advisor is, and maybe their system isn’t 100 percent locked down. You can imagine the fallout.

What if you’re involved in a large business transaction, such as buying a business or even a house? Your attorney may be dealing with a financial institution or two – even through another attorney. Again, a hacker can insert himself in a conversation with any party connected to the money, spoofing your email address or that of anyone involved. And once the hacker is into that next system, it opens more doors.

Just to add to your “watch list” when checking your email, also be wary of somebody sending you updated files that you are not expecting. We have a client who clicked on a PDF and wound up with an infected computer. Fortunately, it caused a major inconvenience more than anything else. Because all of the client’s files were backed up offsite, we had to wipe the computer clean and then find the infected files to delete from the backup. We were able to fully restore everything after that, but it took 18 hours.

So, let’s recap the steps you need to take:

  • Look before you click. Do I get this kind of email message from this sender on a regular basis? Is this an offer that’s too good to be true? Is there anything that looks just the least bit out of the ordinary – even if it’s from a sender I know and trust? Remember, you can always access the sender’s website from your Internet browser instead of the email, or you can pick up the telephone and call a company or a person.
  • If something looks odd even before you open the email, just delete it. I am amazed at how many people just let something suspicious just sit there.
  • Don’t conduct financial business or visit passworded sites while on a public Wi-Fi network. Non-secured networks can be viewed by anyone from anywhere.
  • Be very careful with flash drives. Someone can use one to invade your computer. If you are running a good anti-virus or anti-malware program, it should intercept any external device and give you the option to scan it.
  • Keep your anti-virus and anti-malware software up to date. And make sure they’re both running.

Finally, if you suspect your computer has been infected with a virus, call us immediately at 973-433-6676. We can assess your system and begin the process of restoring its health. If you have any questions about online security, call us or email us. We all have too much at stake.

Two More Tips to Protect Your Money

  1. When you travel by air, don’t just throw your boarding pass in the first trash bin you find in the terminal. The barcode on the pass has a wealth of information, including your frequent flyer account information – and any other personal information in that database – and your itinerary, which can let somebody know how far away from home you are and how long you will be away. If you can’t shred it, tear it into pieces that also separate the barcode and throw them into different trash bins.
  2. Check all of your financial accounts frequently, especially with business bank accounts. When you have a lot of money coming in and going out electronically, that means a lot bank treasury departments are accessing your account. If you monitor the accounts regularly, you have a much better chance of catching fraudulent activity.

Cybersecurity Checklist

We doubt the Russians or WikiLeaks are looking into your computer, but there’s a good chance somebody is. Want to get ahead of any possible problems? Try this checklist.

  • Update your software – Security patches are almost always the feature of any software update for your operating system and application software, including Internet browsers. You can set your computers, servers and mobile devices to notify you when an update is available or have it installed automatically. Do it. It’s as simple as that.
  • Limit admin accounts – There are two things to shore up here. First, limit the number of people in your organization – or household – who have administrative rights to your system. The more people who have access to the inner workings of your system, the more possibilities there are for somebody to leave an electronic door open to an invader. As another precaution, always run your PC as a non-administrator unless strictly necessary.
  • Enable your firewall – This should be a no-brainer. It’s the first line of defense against hackers infiltrating your entire IT system or any computer in your system that goes out onto the Internet. Make sure you have it set to manage inbound and outbound traffic.
  • Use anti-virus and anti-spyware – This goes hand-in-hand with enabling your firewall. These programs are designed to stop viruses, worms and other forms of malware. They can also stop pop-ups and other threats. Make sure every computer and device (where appropriate) is regularly scanned by the anti-virus and anti-spyware software, and don’t let licenses lapse.
  • Beware of wireless – Enable encryption, turn off SSID broadcasting and use the MAC filtering feature. Be wary whenever out of the office using Wi-Fi.
  • Protect mobile devices – Always use passwords, screen locks and auto locks on mobile devices, and encrypt data transmissions when possible.
  • Use strong passwords – The latest research shows that longer passwords are stronger, and you should always have a mix of upper and lower case letters, numbers and special characters. Change your password often and don’t use anything that can be related to your email address.
  • Backup your files – We can’t emphasize this enough – and we strongly encourage you to back up files offsite, on a cloud-based server. Have an automated backup and recovery plan in place for key data residing on your network vital for every computer user and organization. We’ve talked about ransomware before, and have securely backed-up files is your best protection.
  • Trust your gut – This is worth repeating, too: If a website, email or window on your PC offers you something that’s too good be true, ignore it or delete it. If something looks odd or out place, ignore it or delete it. Most companies, especially banks and credit card companies, don’t ask for personal information in an email. Don’t click a link. Instead, log back on to your browser and go to the website address you’ve used before to see what that company has to say.
  • Train your staff or family – Most cybersecurity breaches happen because of human error. Train your staff or your family members on how to be more secure while using computers and mobile devices on the Internet. Remember how you’ve told your kids not to talk to strangers or get into a stranger’s car? It’s the same in the cyber world.

We can help you with any of cybersecurity concerns and needs. Call us – 973-433-6676 – or email us to get answers to your questions or to set up a training session.